Not compatible with EE password lifetime feature
null93 opened this issue · 2 comments
EE has a password lifetime feature that forces users to reset their password every configured number of days (90 days default). When the password expires, Magento redirects users to the "My Account" page and forces them to reset their password. Currently this plugin forces a redirect to the verification page.
Some possible solutions would be to whitelist the [backend_path]/system_account/index and [backend_path]/system_account/save routes. This means that users will be able to change their passwords even if they do not authenticate through 2FA.
Another possible solution is to try to run before the enterprise_pci event in the Enterprise_Pci module. This way we still authenticate and only after authentication, we can force to change a user password. This is probably ideal because we are not whitelisting routes. An additional challenge that this method poses is that this implementation needs to work for CE and EE versions of Magento. Since the Enterprise_Pci module is not included in CE, and therefore the password lifetime feature is not included in CE, it will be a challenge to get it working for both in one module without copying code.
Another possible solution is to rewrite the enterprise_pci/observer class by inheriting from it and running twofactor/observer::preAdminHtml. We can then check to see if $admin->getTwoFactorAllow() is true and if it is then we can run the enterprise_pci/observer::forceAdminPasswordChange method that is attached to the parent. This will solve this issue and also ensure that 2FA authentication is completed before attempting to update the user's password.
There is a possible drawback though. Since we are referencing a module that is only available in EE versions of Magento, that means that we might need to start releasing two different types of modules (EE and CE).
After further inspection the possible drawback in the previous comment can be ignored since Magento does not load the twofactor/rewrite_observer class until it is needed. This means that this solution is best because it enforces 2FA authentication before forcing admin password resetting. It will also work as a single version for EE and CE.
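A sketch of the rewrite-observer approach proposed in the two comments above, added here as an illustration; it is not code from the twofactor module. It assumes the module's observer is reachable as `twofactor/observer` (as named in the thread), that `getTwoFactorAllow()` is read from the admin user held in `admin/session`, that `Enterprise_Pci_Model_Observer::forceAdminPasswordChange` takes an untyped `$observer`, and an assumed class name `Vendor_Twofactor_Model_Rewrite_Observer`.

```php
<?php
/**
 * Hypothetical rewrite of enterprise_pci/observer (assumed class name).
 * The point of the ordering below: the 2FA check runs first, and the EE
 * password-lifetime redirect to "My Account" only runs once the session has
 * passed 2FA. This avoids whitelisting the system_account routes, which would
 * let a session that never completed 2FA change the admin password.
 */
class Vendor_Twofactor_Model_Rewrite_Observer extends Enterprise_Pci_Model_Observer
{
    /**
     * Bound to the same event the parent handles (controller_action_predispatch
     * in Enterprise_Pci), because the parent method name is preserved.
     *
     * @param Varien_Event_Observer $observer
     * @return $this|mixed
     */
    public function forceAdminPasswordChange($observer)
    {
        // Let the module's own observer run its verification-page redirect
        // when the current admin session has not completed 2FA yet.
        Mage::getModel('twofactor/observer')->preAdminHtml($observer);

        // Assumption: the 2FA-allowed flag lives on the logged-in admin user.
        $admin = Mage::getSingleton('admin/session')->getUser();
        if (!$admin || !$admin->getTwoFactorAllow()) {
            // 2FA not satisfied: skip the PCI redirect so the user cannot be
            // sent to the password form before verification.
            return $this;
        }

        // 2FA satisfied: apply the EE password-lifetime enforcement as usual.
        return parent::forceAdminPasswordChange($observer);
    }
}
```

The class is wired in with a standard Magento 1 model rewrite in the module's config.xml (`global/models/enterprise_pci/rewrite/observer`), so on CE the rewrite node points at an alias that is never instantiated and the class is never autoloaded, which matches the observation in the last comment.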